Believe it or not, information security professionals could learn some lessons from the health and wellness industry. The practice of preventive care can and should be transferred to the information security profession.
According to the American College of Preventive Medicine, preventive medicine is defined as “a practice by all physicians to keep their patients healthy”. Common best practice for preventive medicine includes developing awareness and maintaining proper hygiene. Most of the time, people don’t want to get sick. Some people don’t have the insurance coverage to help pay for the costs, and some people want to avoid the hassle of having to set up an appointment (which usually ends up being at an inconvenient time); they would much rather stay healthy.
Similar to the maintenance of health, the maintenance of “cyber health” for organizations is critically important. Proper security hygiene is especially important because, just as when people catch a virus, “infected devices have a way of infecting other devices and compromised systems can make everyone vulnerable”. Proper risk management in organizations should always begin with preventive measures. Business leaders should use preventive medicine in healthcare as a model for demonstrating that preventive cybersecurity measures are a necessary and important investment for the business.
There is much in common between preventive medicine in healthcare and preventive measures in cybersecurity. First of all, there is often an accusation that preventive measures cost more than the treatment itself. A report in the New England Journal of Medicine stated that “sweeping statements about the cost-saving potential of prevention, are overarching”. Most notably, screening for illnesses that are present in only a small percentage of the population will only increase overall healthcare costs. In cybersecurity, this may be true as well. The cost of establishing, implementing, and maintaining a cybersecurity framework is a continuous operational expense and may get de-prioritized in favor of other urgent investments in the business.
However, the report in the New England Journal of Medicine further stated that “researchers have found that although high-technology treatments for existing conditions can be expensive, such measures may, in certain circumstances, also represent efficient use of resources”. Efficient use of resources should become the focal point for organizations contemplating whether to invest in a cybersecurity program.
“Cyber health” should become a new measure of an organization’s preparedness for threats. With efficient use of resources (i.e., investment in a proper cybersecurity framework right-sized to the relevant threats and business goals), organizations will have the opportunity to keep pace with and prepare for the continuously changing cyber threat environment. Incorporating best-practice frameworks and controls, not only to prepare for attacks but also to identify vulnerabilities as they emerge, will remain a continuously important topic in business.